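--- a/src/aiven_gatekeeper.c
+++ b/src/aiven_gatekeeper.c
@@ -105,6 +105,11 @@ static bool BUG_01 = true;
 static bool
 allowed_guc_change_check_hook(bool *newval, void **extra, GucSource source)
 {
+// Allow the change during early startup
+if (!IsUnderPostmaster) {
+return true;
+}
+
 /* don't allow setting the config value from an elevated context
 * otherwise a combination of ALTER SYSTEM SET aiven.pg_security_agent TO off;
 * SELECT pg_reload_conf(); could be used in a two step attack to disable
@@ -119,6 +124,11 @@ allowed_guc_change_check_hook(bool *newval, void **extra, GucSource source)
 static bool
 allowed_guc_change_allowed_superusers(char **newval, void **extra, GucSource source)
 {
+// Allow the change during early startup
+if (!IsUnderPostmaster) {
+return true;
+}
+
 /* same as with the boolean version */
 return !(pg_security_agent_strict || creating_extension || is_security_restricted() || is_elevated());
 }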
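Review bot: The `!IsUnderPostmaster` guard added at the top of both check hooks is broader than its comment "early startup" says. That flag is false in the postmaster for its whole lifetime and in a standalone backend, so the hooks now return true before `pg_security_agent_strict` and the elevated-context tests are consulted whenever the postmaster itself applies a value, which would appear to include a later configuration reload. This looks like it touches the two-step ALTER SYSTEM / pg_reload_conf() case that the existing comment in `allowed_guc_change_check_hook` describes, since backends started afterwards may begin from the postmaster's value; confirm this against the rest of that hook, whose body continues outside the hunk. If only the assignment made while the library is being loaded is meant, a narrower test such as `if (process_shared_preload_libraries_in_progress) return true;` or a check on `source` would fit better. Either way the comment should name the exempt processes and phases, e.g. `/* postmaster and single-user mode skip the checks: the value comes from the config files, not from a session */`.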